Data breach in African organisations

August 29, 2016

We live in a world where almost everyone with a computer and internet access is a tech expert and thanks to immense data available online, they can verbally convince you how best to solve a problem.But, how do African organisations and their Information Technology departments rate when it comes to protecting themselves and their organisations against the ever present cyber risks and cybercrime.I went on a fact finding mission and the answer is, on average, extremely poorly.The role organisation’s IT department play in helping to win this war depends on whether the executive and leaders in organisations expect their IT departments to carry the full accountability for protecting them against the risks of either an accidental data breach or a loss from cybercrime. Much has been written in the business and IT industry about the transformation underway of the role, structure and leadership of IT departments within organisations.These changes are in response to influences such as the rapid change in technology, financial austerity, easy access to user friendly consumer technologies, cloud computing, the need for speed, smartphones and other mobile computing devices.Demands placed on IT departments are diverse and complex.In South Africa, an IT director told me that his responsibilities include aspects such as risk management, cost control, driving innovation and so on.His departments has interdependencies between differing systems, technologies, business processes, governance and risk profiles are often not, and this is a challenge facing him.In her organisation, a Lusaka based IT manager, its easier because of access to many business ready technologies makes it easier for executives and managers to take on the roles and responsibilities normally held by her. This according to her is driven by the need to meet short term, localised demands that result in diluting influence of her department. In Tanzania, more than half of IT projects are now being funded by the business executives, and not the IT department, with that trend expected to continue rising.Some organisations are said to be at war with their own IT departments as a result. In my view, this situation should be remedied swiftly if organisations are to maximise the value of enterprise technologies with known risk and known cost.

In Kenya, vendor predation, where new technologies are pitched direct to the business leaders and bypass the IT departments, is also common. Executive discussions always boil down to cutting IT costs and usually have little to do with the technologies used or how they are managed.It is in such environments that cybercrime is likely to be a real threat. However, the most effective antidote to cybercrime and the associated risks of data breaches is having a high performing IT function with a truly peer relationship with every level of the organisation.This will allow for the optimal design, development, implementation and ongoing management of information security measures that make sense for the organisation. A recent African survey of more than 300 executives asked how they approach the development of a corporate strategy.The survey found that just 27% said their companies have a distinct process for developing corporate strategy. More importantly nearly a quarter thought their companies should engage in corporate strategy development on an ongoing basis as opposed to episodically, compared with only 12% who say they currently do.Therein lies the challenge for IT departments. If organisations have an ill defined, outdated or poorly articulated business strategy, then the idea of developing a secure, high value, resilient and adaptive enterprise IT capability is ideal.Many Boards of non IT African organisations have low levels of digital literacy.Digitally illiterate directors are easy prey for technology evangelists and vendors who may promote a technology solution or approach but one that may not be the right one for the organisation.The analogy here is like having a bank without any of the board members having any substantial banking and finance experience.Change is inevitable and that will arise on both sides of the business and IT department fence.It’s time that appropriately skilled and structured, business relevant IT departments are brought in from the cold and allowed to make a real contribution to organisation’s goals and objectives with known value, known cost and known risk.If not, chances are their competitors are already well down this path.

Contador Harrison